InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Are you excited to pursue a cybersecurity career but unsure where to begin? Whether you’re a student, an incoming professional, or ready to work in a different field, the tried-and-tested career hacks in this eBook will help you get your start in cybersecurity
Inside the eBook
Cybersecurity Is Hot! Current Market Conditions
Where Entry-Level Lands You
Cybersecurity Career Hacks for Students, Incoming Professionals and Career-Changers
DECIPHERING WEBWYRM: AN IN-DEPTH ANALYSIS OF THE PERVASIVE MALWARE THREATENING GLOBAL CYBERSECURITY
In the intricate landscape of global cybersecurity, Webwyrm malware has surfaced as a formidable adversary, casting its ominous shadow across 50 nations and leaving in its wake over 100,000 compromised victims. This insidious digital menace successfully emulates in excess of 1000 reputable companies globally, with the ensuing potential financial fallout estimated to surpass a staggering $100 million. It is imperative for cybersecurity professionals and organizations alike to comprehend the multifaceted nature of this threat to devise and implement robust defensive strategies effectively.
THE EVOLUTIONARY TRAJECTORY OF WEBWYRM
In the dynamic realm of cyber threats, malicious actors incessantly refine their Tactics, Techniques, and Procedures (TTPs), exploiting extant vulnerabilities and augmenting the efficacy of their malicious campaigns. Webwyrm epitomizes this relentless pursuit of evolution, embodying a level of sophistication reminiscent of infamous cyber threats of yore, such as the notorious ‘Blue Whale Challenge.’
REFINED MODUS OPERANDI
WebWyrm malware orchestrates a complex, deceptive narrative aimed at duping unsuspecting job seekers into relinquishing their cryptocurrency. Initiating contact predominantly via WhatsApp, the malefactors likely leverage data procured from employment portals to pinpoint and engage individuals predisposed to their deceptive overtures. Prospective victims are enticed with promises of lucrative weekly remuneration, ranging between $1200 and $1500, contingent upon the completion of daily task “packets” or “resets.”
Upon transferring funds into designated cryptocurrency wallets, victims are led to believe that the completion of tasks results in monetary withdrawals from their accounts, which are subsequently returned along with additional commissions. The introduction of “combo tasks” promises substantial financial returns but necessitates a more considerable investment. However, the caveat is that these returns are accessible only upon the sequential completion of all combo tasks, with each task demanding a progressively larger investment.
CAMPAIGN ENABLERS: TECHNICAL INSIGHTS
WebWyrm’s campaign is characterized by its sophistication, adaptability, and elusive operational framework. The initiative employs dedicated personnel engaging with victims via various platforms, thereby lending an aura of legitimacy and support to their endeavors. The orchestrators have meticulously crafted approximately 6000 counterfeit websites, directing victims to register their accounts. These platforms are expertly designed to mimic legitimate enterprises, with a keen focus on geo-targeting and associated contact numbers reflecting the respective victim’s geographical location.
Moreover, the malefactors astutely navigate the ephemeral nature of their infrastructure, allocating specific IP addresses or Autonomous System Numbers (ASNs) to host counterfeit domains for limited durations. This modus operandi facilitates operational continuity and anonymity, allowing for a swift transition to alternative infrastructure in response to potential threats, thereby effectively circumventing detection mechanisms.
INDUSTRIES IN THE CROSSHAIRS
Webwyrm has indiscriminately targeted a plethora of industries, including:
IT Services
Software Development
Mobile App Development
User Experience Design
Digital Marketing
Web Development
SEO
E-Commerce
DEFENSIVE COUNTERMEASURES
Effective defense against Webwyrm necessitates the adoption of several countermeasures:
Origin Tracing of Malefactors via Employment Portals
Collaborative Defensive Initiatives
Deployment of Rapid Response Teams
Implementation of Domain Blacklisting Protocols
Asset Seizure
Launch of Educational Awareness Campaigns
With the incorporation of these enhanced technical insights, it becomes abundantly clear that WebWyrm represents a meticulously orchestrated, sophisticated operation with the singular aim of exploiting job seekers. The nuanced understanding of potential victims, coupled with a highly adaptive and elusive infrastructure, renders this a significant threat warranting coordinated, informed countermeasures to safeguard potential victims. Awareness, education, and the proactive deployment of defense mechanisms are pivotal in mitigating the risks associated with the WebWyrm malware campaign.
Kali Linux turns 10 this year, and to celebrate, the Linux penetration testing distribution has added defensive security tools to its arsenal of open-source security tools.
It remains to be seen if Kali Purple will do for defensive open source security tools what Kali Linux has done for open source pentesting, but the addition of more than 100 open source tools for SIEM, incident response, intrusion detection and more should raise the profile of those defensive tools.
For now, Kali is primarily known for its roughly 600 open source pentesting tools, allowing pentesters to easily install a full range of offensive security tools.
In this article, we’ll focus primarily on how to use this powerful OS to run a pentest and mistakes to avoid. We’ll give you an overview of what can be achieved with Kali Linux using a short selection of pre-installed tools. While this guide serves as an introduction to common pentesting phases, with practical examples that highlight best practices, it’s not a substitution for a complete professional pentesting methodology.
Chalk is a free, open-source tool that helps improve software security. You add a single line to your build script, and it will automatically collect and inject metadata into every build artifact: source code, binaries, and containers.
Gaining visibility
Chalk enables complete visibility across the development process, from the first time a developer creates the code to the entire lifetime a container hosting is running.
Chalk is a convenient tool for compliance by producing SBOMs, embedding code provenance details, and digitally signing them. You can then send these to your preferred location as a report. Additionally, without added effort, you can achieve SLSA level 2 compliance even before SLSA level 1 becomes a mandated standard.
Usage scenarios
“Interestingly, early design partners are constantly developing new use cases, but the classic ones are still unique because nothing else solves those today. The canonical one is knowing what code is in production and what is not. “Prod or not”. That basic use case means most users can shut off code scanning on the majority of their code repos, shutting down the noise and the busy work people have to do looking at it, but also saving massive amounts of money on wasted tools licenses,” Mark Curphey, Co-Founder of Crash Override, told Help Net Security.
“A great and topical one is automatically generating software security supply chain reports. Chalk will generate an SBOM, add build provenance data about where the code came from and who built it, something required by the US gov directives and where no other automated solution exists, and then to top it all, digitally signs it all in a report and sends it to a central report registry. That use case is huge, just huge,” he concluded.
Threat actors have been laundering currencies with multiple methods. One of the most predominant ways they have been using lately was the Cross-chain crime. In a cross-chain crime, threat actors swap their Cryptocurrency between different blockchains and tokens that help maintain their anonymity.
Moreover, this cross-chain crime is carried out using decentralized exchanges (DEXs) and cross-chain bridges. As with the increase in cybercriminal activities such as ransomware attacks, scams, or crypto thefts, this has become an increasingly preferred money laundering method for cybercriminals.
In addition to this, reports also suggest that more than $4.1 billion of illegal funds have been laundered through decentralized exchanges (DEXs), cross-chain bridges, and coin swap services.
This is estimated to rise to $6.5 billion by the end of 2023 and $10.5 billion by 2025. Another report indicates that $2.7 billion was laundered through cross-chain crime over just a 12-month period between July 2022 and July 2023.
Reason for High Adoption Rate
Threat actors and scammers generate revenue through illegal methods using this cross-chain crime for several reasons, which include the popularity of crypto assets excluding bitcoins among criminals, the anonymity it offers, and stable value assets as some of them are government-backed currencies (Tether (USDT) or DAI).
Another major reason for the adoption is that many cross-asset and cross-chain services other than centralized exchanges do not have ID verification. In addition to this, this method offers protection against tracing by using techniques like prolific asset- or chain-hopping.
Annual figures of cumulative illegal funds laundered (Source: Elliptic)
Furthermore, it has been discovered that the Lazarus group, responsible for several high-profile cyberattacks, had laundered over $900 million using this method.
Decentralized services (DEXs), cross-chain bridges, and coin swap services have been found to have laundered over $7 billion of illegal funds as of July 2023. Elliptic researchers have published a complete report about this method and other information.
MGM Resorts encountered a devastating cyberattack recently, incurring an approximate financial setback of $100 million. Unveiled on September 11, this digital attack led to the temporary shutdown of multiple systems within MGM’s various properties, disrupting operations and inflicting significant monetary losses.
DETAILS OF THE ATTACK
The digital onslaught on MGM Resorts wasn’t confined to a single property but spread across its flagship resort and other prestigious properties like Mandalay Bay, Bellagio, The Cosmopolitan, and Aria. The cybercriminals managed to disrupt a range of operations, from the functioning of slot machines and the systems overseeing restaurant management to the technology behind room key cards. Despite the containment efforts by MGM, the attackers successfully exfiltrated a diverse set of customer data, including but not limited to names, addresses, phone numbers, driver’s license numbers, Social Security numbers, and passport details. Fortunately, credit card details remained secure and unaffected.
ECONOMIC FALLOUT
The cyber intrusion had a profound economic impact on MGM Resorts, with losses estimated around $100 million. This financial blow is anticipated to ripple through the earnings of the third and fourth fiscal quarters. However, MGM remains optimistic, projecting a 93% occupancy rate in October and planning for a complete operational recovery in Las Vegas by November. Expenses related to the cyberattack, including consultancy fees, legal services, and other related costs, amounted to less than $10 million.
COMPROMISE OF CUSTOMER DATA
A vast array of customer data, from Social Security numbers to passport details, was pilfered during the cyber attack. The total count of individuals affected by this breach remains uncertain as MGM has not issued any comments on this matter. Proactive measures have been initiated by MGM Resorts to assist the victims of this data breach, including the establishment of dedicated phone lines and informational websites. The company also intends to reach out to the affected individuals via email, extending offers for identity protection services.
IDENTITY OF THE ATTACKERS
Initially, the cyberattack was attributed to hackers affiliated with a group known as Scattered Spider. This group later joined forces with a Russian ransomware collective known as Black Cat/AlphV. Scattered Spider has a notorious reputation, being implicated in several major cyberattacks over the past year, targeting entities like Reddit, Riot Games, Coinbase, and even another major player in the casino industry, Caesars Entertainment.
RECOVERY AND RESPONSE
In response to the cyberattack, MGM Resorts took immediate action by shutting down all its systems to thwart further unauthorized access to customer data. Since these initial countermeasures, the company’s domestic properties have seen a return to normalcy in operations, with the majority of systems that interact with guests being restored. Efforts are ongoing to bring the remaining affected systems back online, with full restoration anticipated in the near future.
CONCLUSION AND FUTURE IMPLICATIONS
The cyberattack experienced by MGM Resorts highlights the substantial risks and potential financial damages associated with digital security breaches in the hospitality sector. With the compromise of sensitive customer information and the incurrence of hefty financial losses, this incident serves as a stark reminder for all businesses in the industry to bolster their cybersecurity infrastructure to safeguard against future digital threats. The episode underscores the imperative for continuous investments in state-of-the-art cybersecurity mechanisms and protocols to preemptively mitigate the risks of future cyber-attacks and protect sensitive customer data.
Cybercriminal tactics continue to grow in number and advance in ability; in response, many organisations have seen the need to reach a security posture where their teams can proactively combat threats.
Threat hunting plays a pivotal role in modern organizations’ cybersecurity strategies. It involves actively searching for signs of advanced threats and vulnerabilities beyond passive defense mechanisms. The MITRE ATT&CK Framework is an industry-standard threat hunters can use to proactively ensure they have protection against new and evolving attacks. Automating these processes for threat hunting can advance any security team’s capabilities.
However, it can be challenging to integrate or collect security data for effective threat hunting. The number of security technologies often results in fragmented data and hinders a comprehensive threat-hunting approach. Automated threat hunting has become a solution that can advance the capabilities of any security team.
Understanding Disparate Security Technologies
Modern organisations employ a variety of security technologies to safeguard their digital assets. These include firewalls, intrusion detection systems, antivirus software, and endpoint protection. While effective, the sheer number of disparate security technologies poses challenges in centralising security data. Each solution generates logs and alerts, creating data silos.
The Problem of Non-integrated Security Data
Scattered security data creates several difficulties. Security teams grapple with a deluge of data from diverse sources, making identifying relevant threat indicators and patterns challenging. The absence of comprehensive visibility into potential threats leaves organisations vulnerable to increasingly advanced adversaries, who will exploit these data gaps. Inefficiencies plague threat-hunting processes because analysts must manually correlate data from various sources, slowing response times and increasing the likelihood of missing critical threats.
The Concept of Automated Threat Hunting
Automated threat hunting remediates the challenges inherent in integrating disparate security data. Security systems use advanced algorithms to streamline and enhance the threat hunting process. Automated threat hunting empowers security teams to pull security data from different technologies on demand, ensuring they have the right data.
Automating the MITRE ATT&CK Framework for Threat Hunting
Organizations should enhance the use of MITRE ATT&CK Frameworks in their threat hunting processes and techniques with automation to free up time and improve detection.
Automation #1: Pre-Built Response Playbooks
MITRE ATT&CK provides updated data sets of indicators of compromise (IOC) and techniques, tactics, and procedures (TTPs) that adversaries use. Threat hunters use this data to create procedures and processes around known threats to properly respond. Automation can save this set of procedures as a pre-defined playbook, which can be applied in the future for the same threat. It will also search across all data sources in your security environment for a comprehensive visibility into threats.
Automation #2: Collecting the Right Hunt Data
When collecting security data during a hunt, it’s common to collect too much or too little information. Pinpointing the right data saves time and increases hunt accuracy. MITRE ATT&CK frameworks ensure you have the correct data sources by telling you which to collect from logs, security systems, and threat intelligence. Automation allows you to save parameters for data collection of the right sources to apply for future hunts.
Automation #3: Penetration Testing/Red Teaming
Cyberattacks and tactics change all the time, and red/blue teaming are great exercises that help you understand where your proactive abilities are and your defence against them. Automation can provide a great lift here by automating simulations of known TTPS from MITRE Frameworks to fine-tune detection and response management.
Advantages of Automating Threat Hunting
Automating threat hunting allows security teams to effortlessly access security data from diverse technologies when needed, streamlining hunting and procedures, while reducing manual effort. Security analysts can swiftly identify suspicious activities and patterns, resulting in quicker threat detection. The accelerated detection and response to security incidents are crucial in today’s threat landscape. Automated threat hunting expedites the identification of threats, enabling organisations to respond promptly and mitigate potential damage.
The Role of the Security Operations Platform
A security operations platform offers a wide range of capabilities. It centralises security data from disparate technologies and provides security teams with a unified, real-time view of their environment, thus facilitating improved threat detection and response. An essential aspect of this platform is its ability to query security data from all technologies. This functionality ensures that all artifacts, regardless of their source, are examined, making it an invaluable tool in the hunt for threats.
Conclusion
Automating threat hunting via a security operations platform enhances efficiency, augments visibility, and expedites incident response. As we look to the future of cybersecurity, the seamless integration of security data will remain central to effective threat hunting, ensuring that organizations stay ahead of evolving cyber threats.
A recently discovered vulnerability in Microsoft Office Word has raised concerns over the security of the popular productivity suite.
This security flaw, classified as a Cross-Site Scripting (XSS) vulnerability, allows attackers to execute arbitrary JavaScript code within a Word document.
The XSS Vulnerability
Various Office products, including Microsoft Word, offer a feature that allows users to insert external videos into documents through the “Online Videos” tab.
The XSS Vulnerability
When a user attempts to play an external video embedded in a document, the Office checks to determine whether the source of the external video is trustworthy.
This check involves applying a regular expression to the video’s URL, which includes trusted sources like YouTube.
If the source is deemed trustworthy, the Office requests to fetch data such as the video’s title or thumbnail. However, the vulnerability arises in how Office handles the video’s title within the HTML iframe tag.
The server responds with information, including the video’s title, description, and the HTML iframe tag.
The issue is that the server adds the video’s title to the “title” attribute of the iframe tag without proper validation.
As a result, attackers can manipulate the iframe tag by adding an “unload” attribute, enabling them to inject arbitrary JavaScript code.
Exploitation
To exploit this vulnerability, an attacker can create a YouTube video with a title that includes a payload for inserting the “onload” attribute, reads the PKsecurity report.
Then, they insert the URL of this malicious video into a Word document using the Online Videos tab. When the video is played, the injected JavaScript code is executed.
Exploitation
Here is a simplified overview of the steps an attacker would take to exploit this flaw:
Create a YouTube video with a payload in the title.
Insert the URL of the malicious video into a Word document.
Set up a web server to serve malicious JavaScript code.
Implications
This vulnerability allows attackers to execute arbitrary JavaScript code when a video embedded in a Word document is played.
While it may not seem immediately alarming, it’s worth noting that past critical exploits in Office applications often began with the execution of arbitrary JavaScript.
Exploiting this vulnerability could potentially lead to a critical Remote Code Execution (RCE) vulnerability if combined with a new vulnerable Uniform Resource Identifier (URI).
This makes it crucial for Microsoft to address and patch this issue promptly. The Microsoft Office XSS flaw underscores the importance of keeping software up to date and being cautious about the content embedded in documents.
Users should be aware of potential security risks associated with video content, especially when it comes from untrusted sources.
The team at Qualys Threat Research Unit has unveiled a fresh vulnerability within the Linux operating system, allowing local attackers to escalate their access level to root privileges. This escalation is made possible by exploiting a buffer overflow weakness located in the GNU C Library’s ld.so dynamic loader. Assigned the identification CVE-2023-4911 and nicknamed “Looney Tunables,” this vulnerability is recognized as high-risk with a CVSS score of 7.8, signifying its high severity.
“Looney Tunables” allows bad actors to exploit a buffer overflow within the ld.so dynamic loader of the GNU C Library (glibc). This exploitation path provides local attackers with a mechanism to elevate their privileges to root level, thereby gaining unparalleled access and control over the system. Given that root privileges allow complete control over a system, attackers can execute a variety of malicious activities, from accessing sensitive information to altering system settings and functionalities, underscoring the critical nature of this security flaw.
The GNU C Library, or glibc, is fundamentally integral to the operation of a majority of systems based on the Linux kernel. This crucial library facilitates numerous system calls, from elementary functions like open, malloc, and printf to more complex ones such as exit, serving as the operational backbone for these systems. As such, glibc plays a pivotal role in the functionality and performance of Linux-based systems, making any vulnerability within this library particularly concerning for system administrators and users alike.
Within glibc, the ld.so dynamic loader is an element of paramount importance. This component is tasked with the significant responsibility of initializing and running programs on Linux systems that rely on glibc for their operation. Its role is crucial as it ensures the smooth execution of various applications and services on a Linux system, making it an indispensable part of the operating environment. Given its central function, any vulnerability within the ld.so dynamic loader is a matter of serious concern as it could potentially compromise the security and stability of a wide range of systems.
In light of the discovery of “Looney Tunables”, it is imperative for organizations and users utilizing Linux-based systems to acknowledge and address this security vulnerability swiftly to safeguard their systems against potential exploits. Immediate mitigation steps, including the application of security patches and updates, should be undertaken to protect systems from the risks associated with this high-severity vulnerability. Users and administrators should stay vigilant and monitor any security advisories and updates issued by the Linux community and cybersecurity experts to ensure timely and effective protection against this newly identified threat.
Furthermore, it would be prudent for organizations to adopt and enforce a set of security best practices. These might include the regular updating and patching of systems, the use of reliable security solutions, conducting cybersecurity awareness and training programs for employees, and implementing network segmentation strategies. These proactive measures can significantly enhance the security posture of an organization, providing robust defense mechanisms against “Looney Tunables” and other similar security threats that might emerge in the future.
The GNU C Library’s ld.so dynamic loader was found to include the security flaw, which exposed a crack in the armor. During the processing of the ‘GLIBC_TUNABLES’ environment variable, this security hole might manifest itself. To put it more simply, a hostile attacker on the local network who has some dexterity and cunning may insert text into the ‘GLIBC_TUNABLES’ environment variable. The attacker is able to execute code with dangerously high privileges if they do this while beginning binaries that have the SUID permission.
This vulnerability was discovered by the observant members of the Qualys Threat Research Unit. According to an investigation into the origin of the vulnerability, it was first discovered in April 2021, when glibc version 2.34 was being distributed. Ironically, the commit was made with the intention of improving security by correcting the behavior of SXID_ERASE in setuid applications.
It is important to keep in mind that attackers, even those with just the most basic privileges, are able to take advantage of this severe gap. since of their simplicity and since they don’t need any input from the user, these assaults are particularly alarming.
There is a solution available for those who are unable to update their software promptly and do not have the Secure Boot capability. A SystemTap script has been made available, and once it is enabled, it will immediately stop any setuid application that has been launched with the ‘GLIBC_TUNABLES’ environment variable present. To securely call the setuid program thereafter, one just has to unset or remove the ‘GLIBC_TUNABLES’ environment variable, for instance by executing the command ‘GLIBC_TUNABLES= sudo’.
According to Saeed Abbasi, who is the Product Manager at Qualys’ Threat Research Unit, “Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, underscores the profound and ubiquitous nature of this vulnerability.”
While the Qualys team has indicated that they will not release its exploit code at this time, the inherent simplicity of transforming the buffer overflow into a data-only assault suggests that other research teams may soon take up the challenge.
Systems that are running Debian 12 and 13, Ubuntu 22.04 and 23.04, or Fedora 37 and 38 are vulnerable to the CVE-2023-4911 flaw and should be avoided at all costs. The extent of the possible harm might be enormous due to the widespread use of the glibc library in Linux’s many different distributions. Distributions such as Alpine Linux, which use the musl libc library instead of the glibc library, are given a little bit of wiggle room.
According to Fortinet, ransomware activity has intensified, registering an increase of 13 times compared to the beginning of 2023 in terms of all malware detections. The rise of Ransomware-as-a-Service has primarily driven this surge in ransomware variations.
According to a recent study, 65% of organizations identified ransomware as one of their top three threats to their operational viability. Additionally, ransomware is the most significant threat for 13% of these organizations.
Here’s a collection of free ransomware guides and checklists you can access without registration.
#StopRansomware guide
This guide came from the Joint Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC) and was developed through the Joint Ransomware Task Force. This guide includes two primary resources:
Ransomware and Data Extortion Prevention Best Practice
Ransomware and Data Extortion Response Checklist
Mitigating malware and ransomware attacks
This guidance from the National Cyber Security Centre UK helps private and public sector organizations deal with malware’s effects (including ransomware). It provides actions to help organizations prevent a malware infection and steps to take if you’re already infected.
Definitive guide to ransomware
As more ransomware attacks and variants rise monthly, IBM Security X-Force believes ransomware will continue to threaten businesses in the coming years. This document provides guidance to organizations before and during a ransomware attack.
Mapping the ransomware landscape
In partnership with the DACG, ANSSI publishes the guide: Ransomware attacks, all concerned – How to prevent them and respond to an incident. The guide is very practical, particularly at general and IT managers in the private sector and local authorities.
Ransomware response checklist
If your organization is a victim of a ransomware incident, this checklist may assist in identification, containment, remediation, and system(s) recovery. Organizations are recommended to review and familiarize themselves with the steps in the checklist before an incident.
Ransomware survival guide: Recover from an attack
In this ransomware survival guide, the authors share lessons they’ve learned and best practices they’ve developed to help organizations coordinate their response to an attack and make timely, strategic decisions through all phases of the response.
The ultimate guide to ransomware
This guide explains what ransomware is, how it works, and how you can remove it and protect yourself.
Cybersecurity for small business: Ransomware
Learn the basics for protecting your business, take a quiz about what your learned. The tips were developed in partnership with the National Institute of Standards and Technology, the U.S. Small Business Administration, and the Department of Homeland Security.
Aspects of ransomware covered by the Budapest Convention
The Cybercrime Convention Committee just adopted a guidance note on ransomware. It shows how the provisions of the Convention on Cybercrime and its new Second Additional Protocol can be used to criminalize, investigate and prosecute ransomware-related offences and to engage in international cooperation.
Atlassian fixed a critical zero-day flaw in its Confluence Data Center and Server software, which has been exploited in the wild.
Software giant Atlassian released emergency security updates to address a critical zero-day vulnerability, tracked as CVE-2023-22515 (CVSS score 10), in its Confluence Data Center and Server software.
The flaw CVE-2023-22515 is a privilege escalation vulnerability that affects Confluence Data Center and Server 8.0.0 and later. A remote attacker can trigger the flaw in low-complexity attacks without any user interaction.
The company is aware that the vulnerability has been exploited in attacks.
“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.” reads the advisory published by the company.
“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously.”
According to the advisory, the vulnerability doesn’t impact Atlassian Cloud sites. If customer’s Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
“It’s unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating. Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself.” reads a post published by Rapid7. “It’s possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default.”
If admins are unable to upgrade their Confluence instances, as an interim measure the company recommends restricting external network access to them.
Atlassian also recommends mitigating known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances.
The software firm also recommends checking instances for the following indicators of compromise:
unexpected members of the confluence-administrator group
unexpected newly created user accounts
requests to /setup/*.action in network access logs
presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
In September 2022, threat actors were observed targeting unpatched Atlassian Confluence servers as part of an ongoing crypto mining campaign.
Trend Micro researchers warned of a crypto mining campaign targeting Atlassian Confluence servers affected by the CVE-2022-26134 RCE vulnerability disclosed in early June 2022.
Qualcomm recently issued warnings about three zero-day vulnerabilities within its GPU and Compute DSP drivers that are currently being exploited by hackers. These warnings were initiated based on information received from Google’s Threat Analysis Group (TAG) and Project Zero teams. According to their reports, there is limited but targeted exploitation of vulnerabilities identified as CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063.
In response to these imminent threats, Qualcomm has rolled out security updates designed to rectify the issues present within its Adreno GPU and Compute DSP drivers. The company has promptly communicated this information to the affected Original Equipment Manufacturers (OEMs), urging them to implement these security updates without delay.
One of the significant flaws, CVE-2022-22071, which was initially disclosed in May 2022, is categorized as a high-severity issue, with a CVSS v3.1 score of 8.4. This vulnerability is a use-after-free bug that can be exploited locally and affects widely-used chips, including the SD855, SD865 5G, and SD888 5G.
However, Qualcomm has opted to remain tight-lipped regarding the details of the other actively exploited vulnerabilities, namely CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063. Further information on these vulnerabilities is expected to be disclosed in the company’s security bulletin scheduled for December 2023.
In addition to these, Qualcomm’s recent security bulletin also shed light on three other critical vulnerabilities, each with severe implications:
CVE-2023-24855 involves memory corruption within Qualcomm’s Modem component. This occurs when processing security-related configurations prior to the AS Security Exchange and has a CVSS v3.1 score of 9.8.
CVE-2023-28540 relates to a cryptographic issue within the Data Modem component, resulting from insufficient authentication processes during TLS handshakes, with a CVSS v3.1 score of 9.1.
CVE-2023-33028 involves memory corruption in the WLAN firmware which occurs during the copying of pmk cache memory without conducting necessary size checks, and it holds a CVSS v3.1 score of 9.8.
In light of these findings, Qualcomm disclosed an additional 13 high-severity flaws along with three more vulnerabilities classified as critical, all of which were identified by the company’s engineers. In total, Qualcomm has released updates to address 17 vulnerabilities across various components while highlighting that three zero-day vulnerabilities are currently being actively exploited.
Of these identified vulnerabilities, three have been classified as critical, 13 are high-severity, and one is medium-severity. Qualcomm’s advisory noted: “There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation.”
To safeguard against these vulnerabilities, patches for issues in the Adreno GPU and Compute DSP drivers have been issued and are readily available. OEMs have been duly notified and strongly urged to deploy these security patches at the earliest convenience to prevent potential exploitation.
Users of Qualcomm products are advised to stay vigilant and apply updates provided by OEMs as soon as they are released to ensure their devices are protected from these vulnerabilities. This proactive approach to device security is crucial in mitigating the risk of exploitation and maintaining the integrity and functionality of devices that play a pivotal role in various technological applications.
A critical Zip Slip vulnerability was discovered in the open-source data cleaning and transformation tool ‘OpenRefine’, which allowed attackers to import malicious code and execute arbitrary code.
OpenRefine is a strong Java-based, free, open-source tool for handling messy data. This includes cleaning it, converting it into a different format, and expanding it with web services and external data.
According to SonarCloud, the Zip Slip vulnerability in OpenRefine allows attackers to overwrite existing files or the extraction of contents to unexpected locations. This vulnerability is caused by insufficient path validation while extracting archives.
Details of the OpenRefine Zip Slip Vulnerability
The project import feature of OpenRefine versions 3.7.3 and earlier is vulnerable to a Zip Slip vulnerability (CVE-2023-37476) with a CVSS score of 7.8.
Although OpenRefine is only intended to execute locally on a user’s computer, a user can be tricked into importing a malicious project file. Once this file is imported, the attacker will be able to run arbitrary code on the victim’s computer.
Web Interface of OpenRefine Tool
“The vulnerability gives attackers a strong primitive: writing files with arbitrary content to an arbitrary location on the filesystem. For applications running with root privileges, there are dozens of possibilities to turn this into arbitrary code execution on the operating system: adding a new user to the passwd file, adding an SSH key, creating a cron job, and more”, researchers said.
Fix Available
OpenRefine Version 3.7.4, published on July 17, 2023, has a fix for the issue.
In light of this, Users are recommended to update to OpenRefine 3.7.4 as soon as feasible.
MITRE ATT&CK, a common language for cybersecurity professionals to communicate with each other and better understand real-world adversary behaviors, celebrates its 10th anniversary this fall. In this Help Net Security interview, project leader Adam Pennington discusses the framework, how defenders can best use it, and what’s next.
What were the main drivers behind the creation of the MITRE ATT&CK framework back in 2013?
The framework was born out of an internal exercise performed at MITRE’s Ft. Meade, Md. site in 2013. We put sensors on desktop computers to analyze a series of red and blue team cyber operations, which wasn’t common back then. White team observers noticed that the red team’s actions weren’t representative of real-world adversary behavior. When they requested that the red team adjust their tactics, they lacked a unified language to explain themselves.
The white team changed course by pulling actual cyber-attack scenarios from honey pots of real data for the blue and red teams to design operations around. Ultimately, the exercise culminated with a basic Excel spreadsheet outlining different intrusion techniques using a common language. It was incredibly helpful to us internally, so on the chance it would be useful to the rest of the world, we released it publicly as MITRE ATT&CK.
How has the framework evolved over the past decade, especially in the last five years, where we’ve seen a surge in its popularity?
What started out as an Excel spreadsheet identifying one adversary and one tactic has transformed into a framework referenced and contributed to by users across the world. By the time it reached the public, there were around 100 behaviors, and in 2016 we began tracking groups and software based on open-source threat intelligence reporting. In 2018, we amassed enough interest to launch ATT&CKcon (the fourth iteration of the user conference will run Oct. 24-25 at MITRE’s McLean, Va., headquarters).
In the last five years, we’ve expanded the core framework with ATT&CK for industrial control systems, mobile, Linux, various cloud platforms (Office 365, Azure, etc.), network devices (computer switches and routers), and more. We continue to make information digestible and user friendly by including both what adversary tactics are, and techniques users can employ to defend against them. To that end, we recently added pseudocode analytics directly to ATT&CK that people can use in their defenses as an “easy button.”
How does the framework stay up to date with real-world observations and contributions? How often is it updated?
As I’m answering this question, we’ve gotten at least one contribution from a community member via email—evidence that we receive updates often! ATT&CK is heavily community driven. Our framework isn’t effective without users keeping us abreast of the latest threats.
Additionally, we monitor social media, public reports from various government entities, and updates from incident response firms. Behind the scenes, we have large teams maintaining and organizing information for each respective arena.
We release a new version of ATT&CK every six months. After trying out shorter and longer timeframes, we found six months to be the sweet spot satisfying both organizations that bake ATT&CK into their products and defenses and those who want information fast.
Given the evolving nature of cyber threats, what long-term value does the MITRE ATT&CK framework offer to cybersecurity professionals?
ATT&CK continues to evolve right alongside adversaries, but historically this is a space that changes slowly over time. Bad actors exhibit relatively routine methods once they’ve gained entry into a network. Even though the exact piece of software, IP address, or even the human on the other end may differ, there are fundamental attack sequences that don’t often fluctuate. Behaviors documented in ATT&CK a decade ago are still seen today.
On the other hand, there are new spaces ripe for intrusion like cloud-based products. We’re expanding the framework in step with new technologies.
For organizations that find the initial implementation process complex, what advice do you have to ease this learning curve?
Start with bite size pieces. Time and time again, we’ve seen cybersecurity teams from small organizations attempt to comprehensively integrate ATT&CK into their defenses, just to quickly realize they’re in over their heads. The framework is not one-size-fits-all.
To solve for this challenge, we recommend multiple strategies focused on starting small. The framework is divided into techniques, so an organization may begin with a single tactic relevant to their system. For example, if you’re concerned with identity management, you can dig into how adversaries are stealing passwords and identify overlap between their behaviors. Once you reach those prioritization points, it’s easier work backwards and add protections against them.
What are some of the less obvious applications of the framework that professionals in the cybersecurity industry should be aware of?
We’re pleasantly surprised to see how ATT&CK is being leveraged in academic environments, from high schools to universities. One high school in Virginia invited our team to come in and speak to the work, which they previously integrated into their curriculum.
Several private sector organizations also have woven the framework into employee education. I recently spoke to somebody whose company regularly discusses a “technique of the week” pulled from the ATT&CK database.
What future enhancements or expansions do you envision for the MITRE ATT&CK framework?
As adversaries explore new exploitation methods, we’ll be there cataloging their every move. Our team continues to advance threat intelligence reporting on spaces growing in popularity, such as Linux and operating systems beyond Windows.
The goal is, and has always been, to build a community of cyber defenders. We know ATT&CK is a boon for larger organizations, but we’re working on ways to make it more accessible for smaller and less-resourced entities.
Threat actors have begun utilizing an innovative approach to zero-point font obfuscation, a pre-existing technique, in an attempt to deceive users of Microsoft Outlook. They do so by creating an illusion that certain phishing emails have been thoroughly scanned and cleared by antivirus programs, thus increasing the chances of these deceptive emails bypassing security protocols. This not only aids in evading security measures but also enhances the probability of recipients falling prey to these fraudulent schemes.
Jan Kopriva, an analyst at the SANS Internet Storm Center, encountered a phishing email that cleverly employed text written in zero-pixel size font. This technique, originally documented by Avanan (a subsidiary of Check Point) researchers in 2018 and known as ZeroFont Phishing, was being utilized in a distinct and innovative manner, according to Kopriva’s observations. Historically, cyber attackers have integrated zero font size text within phishing emails to disrupt the continuity of text that is visible, making it increasingly difficult for automated email scanning systems like those implemented by Outlook to flag suspicious emails.
However, Kopriva noticed a variation in the use of the ZeroFont technique, which diverged from its original purpose. Instead of utilizing it to obstruct automated scanning systems from labeling the email as potentially harmful or fraudulent, it was applied to craft an illusion of trustworthiness for the recipient. Kopriva elaborated that the technique was being used to modify the text that is usually displayed in Outlook’s listing pane—a section adjacent to the body of emails that provides users with a sneak peek into the email content.
Rather than presenting the typical email subject line followed by the initial few lines of the email—which could potentially raise red flags about a phishing attempt—the listing pane under this technique displayed the subject line and an additional line of text. This added text falsely indicated that the email had undergone a security scan and was deemed safe by a threat protection service.
Avanan researchers have also discovered another manipulation of this technique, dubbed the “One Font” technique. In these instances, threat actors embed extremely small text within the zero- or one-point font range as part of their strategy to develop more elusive and sophisticated phishing scams. This minuscule font size effectively dismantles email scanning techniques relying on semantic analysis, generating confusion for the scanning systems while remaining undetectable to the recipients due to its unreadable size.
In the specific phishing email Kopriva analyzed, the attackers ingeniously incorporated text that implied the email had been verified and secured. This was achieved by inserting text in zero font size ahead of the email’s actual content. As a result, in Outlook’s listing pane, the user would see text confirming the email’s security status immediately below the subject line—instead of the true opening line of the phishing email. This deceptive approach takes advantage of Outlook’s method of displaying email text, thus exploiting it to the attacker’s benefit.
Kopriva acknowledged the possibility that this tactic has been deployed undetected for a while now. Nonetheless, it represents an additional tool in the arsenal of cyber threat actors, enhancing their ability to launch effective phishing campaigns. As defenders against cyber threats, awareness of this tactic is crucial. He recommends that organizations actively engaged in conducting security awareness training focused on phishing should incorporate information on this technique. This knowledge would empower employees to recognize and appropriately respond to deceptive emails employing this technique as an anti-detection strategy, thus fortifying organizational defenses against such cyber threats.
If you want a cyber liability policy, or want the lowest possible premiums, it is important to understand the security controls that most cyber underwriters expect to see. They will differ based on carrier, individual underwriter, organization size, industry, etc. and are subject to change.
The cyber insurance market continues to be marked by volatility, keeping insureds and underwriters alike on their toes.
In early 2021, the market shifted very abruptly, and increasing frequency, severity, and the sophistication of cybercrime pushed cyber underwriters to re-evaluate their approach to pricing, appetite, coverage, and underwriting.
Insureds renewing cyber insurance programs in the last 18 months know that underwriters have substantially upped their game when it comes to underwriting cyber risk.
At the beginning of this shift to a hard market, there was a definitive change to more detailed and technical underwriting. There was also inconsistency regarding the network security controls that were considered the most important, but today, the markets are in closer alignment.
Below are the top 10 network security controls that most cyber underwriters expect to see. They will differ based on carrier, individual underwriter, organization size, industry, etc. and are subject to change.
1) Comprehensive Multi-factor Authentication (MFA) plus Strong Password Controls
MFA (privileged access, remote access, remote cloud-based apps/O365) and strong password controls protect an organization against phishing, social engineering and password brute-force attacks and help prevent logins from attackers exploiting weak or stolen credentials. For many cyber underwriters, this is the most important control.
2) Network Segregation and Network Segmentation
Network segregation (separation of critical networks from the internet) and network segmentation (splitting larger networks into smaller segments) help reduce the risk and potential impact of ransomware attacks and will improve IT professionals’ auditing and alerting capabilities, which will assist in identifying cyber threats and responding to them.
3) Strong Data Backup Strategy
A strong data backup strategy is typically part of a solid disaster recovery/business continuity plan.
Underwriters want to see daily data backups, backups stored in more than one location, access rights limited to data backups, etc.
4) Disabled Administrative Privileges on Endpoints
Disabling administrative privileges on endpoints improves security posture. An administrative end-user on an endpoint for even a few minutes can lead to catastrophic data breaches if the endpoint is compromised.
5) Security Awareness Training for Employees
Security awareness has never been more important. The threat environment is evolving rapidly. Regular and frequent employee training is a must in today’s environment.
6) Endpoint Detection and Response (EDR) and Anti-Malware
EDR provides advanced measures for detecting threats and provides the ability to identify the origin of an attack as well as how it is spreading.
Anti-malware is a version of EDR — it scans your system for known malware such as trojans, worms, and ransomware, and upon detecting them, removes them. Underwriters look for both.
7) Sender Policy Framework (SPF)
SPF plays an important role in email authentication. It helps prevent emails from unauthorized senders from hitting an employee’s inbox. Underwriters look for this defensive tool.
8) 24/7 Security Operation Center (SOC)
A dedicated SOC acts as the first line of defense against cyber threats. The analysis and threat hunting conducted by SOC teams help prevent attacks from occurring in the first place.
SOCs provide increased visibility and control over security systems, enabling the organization to stay ahead of potential attackers. Cyber underwriters view this as a key proactive approach to network security.
9) Security Information Event Management (SIEM) Platform
SIEM tools collect and aggregate log and event data to help identify and track breaches.
They are powerful systems that provide security professionals with insight into what is happening in their IT environment and help track relevant events that have happened in the past.
10) Strong Service Accounts Security in Active Directory
Assigning service accounts in built-in privileged groups, such as the local Administrators or Domain Admins group, can be risky. Underwriters want service accounts removed from Domain Admin groups.
The implementation of these top 10 network security controls does not represent the full extent of the cyber underwriting process nor will they be the basis for a premium discount.
There are a host of additional controls, policies, procedures, and processes that underwriters will be evaluating. But checking these boxes will provide insureds with a solid foundation designed to meet the baseline expectations of cyber underwriters.
Google has designated a brand new CVE number for a major security vulnerability that has been discovered in the libwebp image library, which is used for displaying pictures in the WebP format. This flaw has been found to be exploited in the wild by malicious users. A major vulnerability that existed in Google Chrome for Windows, macOS, and Linux was addressed by a security update that was provided by Google. A CVE ID of CVE-2023-4863 has been assigned to the security flaw, and the vulnerability has been rated as having a severity of 8.8 (High).
As a result of the analysis of the vulnerability, it was found that the libwebp library included a heap buffer overflow vulnerability. This vulnerability allows a threat actor to conduct an out-of-bounds memory write by using a crafted HTML page to trigger the issue.
However, Google has once again reported this vulnerability, which is now known as CVE-2023-5129 and is being monitored. After further investigation, it was discovered that the vulnerability known as CVE-2023-41064 and this one also impacted the same libwebp library. The development comes after Apple, Google, and Mozilla provided remedies to address a flaw that may enable arbitrary code execution when processing a carefully designed picture. The bug is tracked separately as CVE-2023-41064 and CVE-2023-4863. The execution of arbitrary code might lead to a security breach. It is likely that both problems are solutions to the same fundamental issue that exists in the library. CVE-2023-41064 is claimed to have been linked with CVE-2023-41061 as part of a zero-click iMessage attack chain termed BLASTPASS to deliver a mercenary malware known as Pegasus, as stated by the Citizen Lab. At this time, we do not have access to any other technical specifics.
But the choice to “wrongly scope” CVE-2023-4863 as a vulnerability in Google Chrome belied the reality that it also affects practically every other program that depends on the libwebp library to handle WebP pictures, showing that it had a wider effect than was originally supposed. CVE-2023-4863 was discovered by Google security researchers and is tracked by the CVE identifier.
An investigation carried out by Rezillion over the last week has uncovered a comprehensive list of frequently used software programs, code libraries, frameworks, and operating systems that are susceptible to the CVE-2023-4863 vulnerability.
Additionally, the security researcher who found the vulnerabilities CVE-2023-41064 and CVE-2023-4863 reported both of them. This indicates that the researcher brought this issue to the attention of both firms, which led to the creation of two distinct CVEs in the past.
Vulnerability scanners delve into systems to uncover security gaps. The primary mission? To fortify organizations against breaches and shield sensitive data from exposure.
Beyond merely pinpointing weaknesses, vulnerability scanning is a proactive measure to anticipate potential attacker entry points. The essence of this process lies not just in detection but in remediation and refining strategies, ensuring that vulnerabilities are prioritized.
Here’s a list of 5 free, open-source vulnerability scanners you can try today.
Nuclei
Nuclei is a scanner designed to probe modern applications, infrastructure, cloud settings, and networks, assisting in identifying and correcting vulnerabilities. Internally, Nuclei relies on the principle of templates. These YAML files detail how to identify, rank, and fix specific security threats. A global community of security professionals and researchers actively contributes to the template library. This ecosystem, continuously updated within the Nuclei tool, has received over 5000 templates.
Nikto
Nikto is a web server scanning tool that conducts in-depth tests on web servers. It checks for over 6700 potentially dangerous files/programs, including certain files or programs, inspects for outdated versions of more than 1250 servers, and looks for particular issues in over 270 server versions. Nikto isn’t crafted for discreet operations. It aims to assess a web server as swiftly as possible, leaving evident traces in log files or being detectable by IPS/IDS systems. Nevertheless, it supports LibWhisker’s methods to counteract IDS, whether to experiment with or evaluate an IDS setup.
Cariddi
Cariddi enables you to take a list of domains, crawl URLs, and scan for endpoints, secrets, API keys, file extensions, tokens, and more.
OpenVAS
OpenVAS is a comprehensive vulnerability scanning tool. It offers both unauthenticated and authenticated testing, supports a range of high-level and low-level internet and industrial protocols, provides performance optimization for large-scale scans, and features a robust internal scripting language to design any vulnerability test.
Wapiti
Wapiti is a tool designed to assess the security of your websites or web applications. It conducts “black-box” scans, meaning it doesn’t analyze the source code. Instead, it navigates through the webpages of the live web application, searching for scripts and forms to input data. After identifying the list of URLs, forms, and their respective inputs, Wapiti functions like a fuzzer, introducing payloads to determine if a script is susceptible to vulnerabilities.
CrowdStrike achieved the highest coverage across the last two consecutive MITRE Engenuity ATT&CK® Evaluations. We achieved 100% protection, 100% visibility and 100% analytic detection coverage in the Enterprise Round 5 evaluation — which equates to 100% prevention and stopping the breach. We also achieved the highest detection coverage in the Managed Security Services Providers testing.
However, interpreting the results of the Round 5 test can quickly become very confusing, with endless representations of test results from every provider. Unlike other third-party analysts, MITRE doesn’t place vendors on a quadrant or graph, or provide a comparative score. It leaves interpretation up to each vendor and customers themselves — meaning you’ll be flooded with claims of “winning” the evaluation.
In MITRE, there are no winners or leaders, only raw data on a vendor’s coverage against either a known or unknown adversary. Without better guidelines and enforcement from MITRE, the results will continue to confuse customers, given the wildly different solutions being tested and approaches to the evaluation.
Evaluations like MITRE can help clarify your choice. We use the evaluations to further sharpen the capabilities of the CrowdStrike Falcon® platform, as well as ensure our customers understand our point of view on cybersecurity: Stopping the breach requires complete visibility, detection and protection that you can actually use in a real-world scenario.
How Should You Interpret the Results?
First, it’s important to understand the nuances of the two types of evaluations run by MITRE: open-book and closed-book tests.
Open-book testing for known attackers: The MITRE ATT&CK Enterprise Evaluations, such as the recent Round 5, give vendors months of advance notice on the adversary being emulated and their tactics, techniques and procedures (TTPs), and then measure for coverage in a noiseless lab environment.
Figure 1. CrowdStrike detects 143 (100%) steps during the MITRE Engenuity ATT&CK Evaluation: Enterprise Round 5 with high-quality analytics (Tactic and Technique)
Not all results are equal, which is hard to see in a comparative chart like this, as vendors have the opportunity to tune their systems in advance and apply configuration changes on-the-fly with teams of experts who may be working behind the scenes 24/7 during the testing period. For instance, we’ve seen vendors make updates to operating systems for the test, while others manually fix verdicts or add new context and detections.
Round 5 emulated Turla, which CrowdStrike classifies as VENOMOUS BEAR, a sophisticated Russia-based adversary. Given their advanced tactics, few vendors were able to identify all of their tradecraft, with the average visibility being 83%. High-quality analytic detection of Tactic and Technique were even less, with the average dropping to 66% — with CrowdStrike achieving full 100% coverage with analytic detections.
High-quality analytics are extremely important, as they provide insight into what an adversary is attempting to achieve and how they are attempting to achieve it. High-quality analytic detection provides the context that analysts need, letting them spend less time trying to determine if the alert is a true or false positive, and also provides insight into what an adversary is trying to do. With tactic and technique detections, security analysts can spend more doing what matters: stopping breaches.
In a comparative chart like the one above, it isn’t possible to see if the capability provided is noisy annotated telemetry or important context added to a high-fidelity alert.
Closed-book testing for unknown attackers: MITRE’s Managed Security Services Providers test is a truer measure of how vendors will protect a customer in the real world, with no do-overs or chances to hunt for additional evidence. The only notification vendors receive in advance is a start date, with no visibility into the adversary being emulated or their TTPs. MITRE runs the test, and you get a coverage score.
Figure 2. CrowdStrike detected 99% of adversary techniques during MITRE ATT&CK Evaluations for Managed Security Services Providers.
To find the cybersecurity partner for you, it’s worth reviewing and correlating performance across many different tests that use different TTPs and force products to behave differently to find the true outcome of the platform. Ensure you look at the results of both open-book and closed-book tests, including those that measure false positives and performance, and know exactly what vendors did to achieve their results. Most importantly, make sure you can achieve those same outcomes in your enterprise. Sophisticated adversaries don’t provide the luxury of a heads-up, and customers won’t have potentially dozens of people working behind the scenes on their deployment in the real world.
Stopping Breaches Matters
Next, it’s critical to evaluate how effectively a vendor can stop adversaries without manual intervention. In the open-book Round 5 test, the average blocking rate was 86%, compared to CrowdStrike’s 100% protection. Even more important than the coverage is understanding how the scores were achieved.
When digesting the MITRE results, ask vendors these three questions, and ask them to prove it:
Did they use easily bypassed signatures or custom detections requiring prior knowledge?
Are the analytic detections and protections high-fidelity and suitable at enterprise scale?
How can I reproduce this result in my own environment?
For comparison, the CrowdStrike Falcon platform stopped 13 of the 13 scenarios with no prior knowledge, using advanced AI and behavior detection. Our AI-powered prevention will be just as effective in your environment as in MITRE’s testing, against both known and unknown adversaries in the real world.
How Do You Bring It All Together?
At the end of the day, how a platform achieved its results matters as much as coverage itself. With open-book tests like the Enterprise Evaluation Round 5, you could hire enough experts to manually add custom tags, detections and context to achieve perfect coverage. That’s why you’ll see vendors shouting their coverage from the rooftops — as at face value many did well.
All comparative charts, including the ones we’ve shown above, only tell part of the story. What’s important is looking at the details: how you do it matters as much as what you do. If you can’t actually achieve the results in your environment, it’s simply a number on a comparative chart. It can’t stop adversaries and it can’t stop breaches.
Ask your provider, including us, how they achieved their scores — and ensure it wasn’t a herculean manual effort that could never work in the real world. It’s also important to understand exactly what the full bill-of-materials looks like to reproduce the results. Some vendors require a complex point product deployment, others an expensive combination of software and network security hardware, and others a significant headcount investment to operate.
The factor to consider most carefully are vendors that use custom test configurations that are impossible to reproduce in a real-world production environment. With CrowdStrike, our platform will always be delivered via our single lightweight agent that’s easy to deploy, easy to manage and never requires a reboot. We consolidate cybersecurity, with better outcomes, at a much better ROI.
We stand behind our platform and the way we delivered our superior coverage across both MITRE’s open-book and closed-book testing for known and unknown adversaries — providing true breach prevention for the real world.
We encourage everyone in the industry to follow MITRE’s intention: Its testing yields valuable raw data that needs to be applied in your environment — with the context around how a vendor achieved its results — to be meaningful. And to our friends at MITRE, the time is now to shut down the endless noise and ensure customers understand your purpose: to make the world safer with better-informed decisions.
